svn commit: r218635 - releng/8.2/crypto/openssl/ssl
Simon L. Nielsen
simon at FreeBSD.org
Sun Feb 13 11:09:40 UTC 2011
Author: simon
Date: Sun Feb 13 11:09:39 2011
New Revision: 218635
URL: http://svn.freebsd.org/changeset/base/218635
Log:
MFS 218633:
Fix Incorrectly formatted ClientHello SSL/TLS handshake messages could
cause OpenSSL to parse past the end of the message.
Note: Applications are only affected if they act as a server and call
SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. This includes
Apache httpd >= 2.3.3, if configured with "SSLUseStapling On".
The very quick merge is done to get this fix into 7.4 / 8.2.
Approved by: re (bz)
Obtained from: OpenSSL CVS
Security: http://www.openssl.org/news/secadv_20110208.txt
Security: CVE-2011-0014
Modified:
releng/8.2/crypto/openssl/ssl/t1_lib.c
Directory Properties:
releng/8.2/crypto/openssl/ (props changed)
Modified: releng/8.2/crypto/openssl/ssl/t1_lib.c
==============================================================================
--- releng/8.2/crypto/openssl/ssl/t1_lib.c Sun Feb 13 10:24:36 2011 (r218634)
+++ releng/8.2/crypto/openssl/ssl/t1_lib.c Sun Feb 13 11:09:39 2011 (r218635)
@@ -521,6 +521,7 @@ int ssl_parse_clienthello_tlsext(SSL *s,
}
n2s(data, idsize);
dsize -= 2 + idsize;
+ size -= 2 + idsize;
if (dsize < 0)
{
*al = SSL_AD_DECODE_ERROR;
@@ -559,9 +560,14 @@ int ssl_parse_clienthello_tlsext(SSL *s,
}
/* Read in request_extensions */
+ if (size < 2)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
n2s(data,dsize);
size -= 2;
- if (dsize > size)
+ if (dsize != size)
{
*al = SSL_AD_DECODE_ERROR;
return 0;
More information about the svn-src-all
mailing list